Wireless communication standards continue to evolve. For example, in the cellular context, standards are currently evolving from third generation (3G) standards to fourth generation (4G) standards. The 3G standards include GSM and UMTS standards promulgated by an organization known as the 3G Partnership Project (3GPP) and CDMA2000 standards such as High Rate Packet Data (HRPD) promulgated by an organization referred to as 3GPP2. The 4G standards currently under development by 3GPP are generally referred to as Long Term Evolution (LTE) standards. The 3GPP and 3GPP2 specification documents, including, for example, 3GPP2 Specification No. A.S0008-0 v4.0, “Interoperability Specification (IOS) for High Rate Packet Data (HRPD) Radio Access Network Interfaces with Session Control in the Access Network,” May 2007, are freely available online and are incorporated by reference herein in their entirety.
LTE networks will make use of an Internet protocol (IP) based packet core referred to as Evolved Packet Core (EPC). In order to facilitate the transition to LTE networks, 3GPP2 has developed what is referred to as enhanced HRPD (eHRPD), which allows HRPD access networks to utilize the LTE EPC. Such HRPD access networks are also referred to herein as eHRPD access networks.
The eHRPD approach utilizes an HRPD Serving Gateway (HSGW) to interface eHRPD access networks to the LTE EPC. The HSGW provides interworking between the eHRPD access networks and a Packet Data Network (PDN) of the EPC. For example, the HSGW may interface with a PDN gateway (PGW) of the EPC. The HSGW may be implemented as a separate network element, or alternatively may be viewed as comprising or being incorporated into a Packet Data Serving Node (PDSN) in the access network.
The 3GPP LTE standards generally require the use of a specially-formatted authentication protocol when allowing access to the EPC from a non-3GPP system such as an eHRPD access network. This authentication protocol is carried out between a mobile station or other user equipment associated with the non-3GPP system element and an authentication server of the EPC using an authenticator that in the eHRPD context typically comprises the HSGW. The authentication protocol generally involves key derivation in which keying material is bound to appropriate context information.
Conventional techniques for generating session keys upon successful completion of the authentication protocol are disclosed in 3GPP2 Specification No. C.S0067, “Generic Key Exchange Protocol for cdma2000 High Rate Packet Data Air Interface,” Version 1.0, November 2005, which is incorporated by reference herein. A single iteration or “instance” of the GKE protocol generates single security association based on a Pairwise Master Key (PMK) as well as nonces that are exchanged between the mobile station, also referred to as an “access terminal,” and an access network element such as a Radio Network Controller (RNC). The GKE protocol ensures that the access terminal and the access network element have the same PMK. The PMK may be derived from a Master Session Key (MSK) computed in conjunction with the authentication protocol.
A given instance of the GKE protocol requires a bidirectional exchange of nonces between the access terminal and the RNC. A corresponding session key is generated by applying a cryptographic Key Derivation Function (KDF) to a concatenation of the PMK with an access terminal nonce and an access network nonce.
The above-described conventional techniques can be problematic in the case of handoffs that may occur within a particular session. For example, there may be a handoff of an ongoing call from one base station to another base station as the mobile station moves within the system. It is also possible that there may be a handoff of an ongoing call from one RNC to another RNC, or from one HSGW to another HSGW.
In the case of a handoff from one base station to another, one possible approach is to repeat the authentication and GKE protocols for each such handoff. This is clearly undesirable in that it imposes additional computational burdens and can also introduce significant amounts of delay in completing the handoff.
Another possible approach is to generate one or more secondary session keys from a given primary session key associated with a single instance of the GKE protocol. Although this approach advantageously avoids repeating the authentication protocol and the GKE protocol for each handoff, it can undermine system security, as secondary keys are typically not as cryptographically strong as the primary keys from which they are derived. Furthermore, if the primary keys are compromised, all sets of secondary keys derived from those primary keys will also be compromised.
It is also possible to perform multiple instances of the GKE protocol to generate respective multiple security associations for a given authentication of the mobile station in advance of any handoffs. However, this approach is inefficient and may unduly limit the performance of the system.
A further drawback of conventional practice is that the various techniques mentioned above fail to adequately address the issue of handoffs between other network elements, such as from one RNC to another RNC, or from one HSGW to another HSGW.
Similar problems exist in numerous other communication system contexts, such as any system comprising visited network and home network gateways where mutually authenticated session key agreement protocols are utilized to establish session keys.